Archived view of koyu.space › vydyck › tech › linux › yubikey-ssh.gmi, captured on 2022-06-03 at 23:24:29.
How to use yubikeys with ssh
Initial setup
Follow drduh's elaborate tutorial:
https://github.com/drduh/YubiKey-Guide
local copy
! pay attention to the keytocard part:
If you want to write the same private key to multiple YubiKeys, DO NOT SAVE during the keytocard part (save and quit), because saving replaces the key in your local keyring with a stub. Instead, press CTRL-C after writing all (3) keys to one YubiKey, then restart the key-edit part for the next YubiKey.
Using the key on a linux system for gpg and ssh
(SSH|GPG) Check that your user account can access the YubiKey via gpg
- gpg --card-status
- you may need to install scdaemon if this returns an error
- if it still does not work, check whether gpg --card-status works as root; if it does, you have a permission issue, which can be solved via a udev rule or a manual command:
(SSH) Once that returns details for your card
- echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf this is a one-time action (>> appends, so an existing gpg-agent.conf is not overwritten)
- gpg-connect-agent killagent /bye stops the gpg-agent process so the new gpg-agent.conf is read; it is started again on demand by the next gpg command
- gpgconf --list-dirs should list an agent-ssh-socket dir; you need to set the SSH_AUTH_SOCK variable to that path
- or in one command: export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
- ssh-add -L should now show your public key; you can append this output to the authorized_keys file of your servers, add it to the public key section of your github/gitlab/bitbucket profile, import it as a keypair in amazon ec2, etc...
(GPG) export and upload/copy/spread your public key
- The card only stores your private key; you must export your public key and make it available to whoever needs to send you encrypted data, including yourself. On other systems you can import it with gpg --import <filename>
- to encrypt a file "to" yourself, use gpg -e and, when asked for the recipient, give it part of your name, email address, ...
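The SSH steps above (card check, gpg-agent.conf, agent restart, SSH_AUTH_SOCK) and the public-key export step, collected into one script. This is an added example, not code from the original page or from drduh's guide. It assumes gnupg2 (gpg, gpgconf, gpg-connect-agent) and scdaemon are installed; the file name yubikey-ssh.sh, the function names and the --setup/--export flags are my own choices. The config step is written so that it neither overwrites an existing gpg-agent.conf nor adds a duplicate line on repeated runs.

```shell
#!/bin/sh
# Added example (not from the original page or drduh's guide): wire a
# YubiKey-held GPG authentication key into ssh via gpg-agent, and export
# the public key for distribution. Assumes gnupg2 and scdaemon are
# installed; function names and flags are this example's own.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_CONF="$GNUPGHOME/gpg-agent.conf"

# Add 'enable-ssh-support' to gpg-agent.conf exactly once.
# 'echo ... > file' would overwrite existing options and a blind append
# would add a duplicate on every run; this does neither.
# Returns 0 if the line was added (agent must be restarted), 1 if it
# was already present.
ensure_ssh_support() {
    conf="$1"
    dir=$(dirname "$conf")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    [ -f "$conf" ] || : > "$conf"
    if grep -qx 'enable-ssh-support' "$conf"; then
        return 1
    fi
    printf '%s\n' 'enable-ssh-support' >> "$conf"
    return 0
}

# True when gpg, running as the current user, can read the card.
card_reachable() {
    gpg --card-status >/dev/null 2>&1
}

# Stop the running agent so the edited gpg-agent.conf is picked up;
# the next gpg-connect-agent call autostarts a fresh one.
restart_agent() {
    gpg-connect-agent killagent /bye >/dev/null 2>&1 || true
    gpg-connect-agent /bye >/dev/null 2>&1
}

# Socket path that ssh must be pointed at through SSH_AUTH_SOCK.
agent_ssh_socket() {
    gpgconf --list-dirs agent-ssh-socket
}

# Export the public key for KEYID as ASCII armour into FILE, then print
# its fingerprint so the recipient can verify what they import.
export_pubkey() {
    keyid="$1"; file="$2"
    gpg --armor --export "$keyid" > "$file"
    gpg --with-colons --show-keys "$file" | awk -F: '$1=="fpr"{print $10; exit}'
}

case "${1:-}" in
--setup)
    if ! card_reachable; then
        echo "gpg cannot access the card as $(id -un); check scdaemon and device permissions" >&2
        exit 1
    fi
    if ensure_ssh_support "$AGENT_CONF"; then
        restart_agent
    fi
    # A child process cannot change the caller's environment, so the
    # export line is printed for eval; the public key goes to stderr.
    echo "export SSH_AUTH_SOCK=$(agent_ssh_socket)"
    SSH_AUTH_SOCK=$(agent_ssh_socket) ssh-add -L >&2
    ;;
--export)
    export_pubkey "$2" "$3"
    ;;
esac
```

Usage: `eval "$(sh yubikey-ssh.sh --setup)"` sets SSH_AUTH_SOCK in the current shell and shows the public key that ssh-add -L reports; `sh yubikey-ssh.sh --export you@example.org pubkey.asc` writes the armoured public key and prints its fingerprint. The fingerprint, not the file name, is what to compare out of band before someone trusts the imported key.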